github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/linux/setup_linux-host_qemu-vm_riscv64-kernel.md

# Setup: Debian/Ubuntu host, QEMU vm, riscv64 kernel

# GCC

Obtain `riscv64-linux-gnu-gcc`, at least GCC version 8. The latest Debian/Ubuntu distributions should
provide both cross-compilers in a recent enough version in the `gcc-riscv64-linux-gnu` package.
Alternatively, you can also build your own
[RISC-V GNU compiler toolchain](https://github.com/riscv/riscv-gnu-toolchain) from source.

# Kernel

The following instructions were tested with Linux Kernel `v5.9-rc1`. Create a kernel config with:

```shell
make ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- defconfig
```

Also enable the [recommended Kconfig options for syzkaller](/docs/linux/kernel_configs.md).

Then build the kernel with:

```
make ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- -j $(nproc)
```

# OpenSBI

Clone the OpenSBI repository and build the bootable OpenSBI image containing the kernel:

```shell
git clone https://github.com/riscv/opensbi
cd opensbi
make CROSS_COMPILE=riscv64-linux-gnu- PLATFORM_RISCV_XLEN=64 PLATFORM=generic
```

See the OpenSBI documentation for booting on the
[QEMU RISC-V Virt Machine Platform](https://github.com/riscv/opensbi/blob/master/docs/platform/qemu_virt.md)
for more information.

# Image

We will use buildroot to create the disk image. You can obtain buildroot
[here](https://buildroot.uclibc.org/download.html). The following instructions
were tested with buildroot version 2020.05. First run:

```shell
make qemu_riscv64_virt_defconfig
make menuconfig
```

Choose the following options:

```
Target packages
    Networking applications
        [*] iproute2
        [*] openssh
Filesystem images
    ext2/3/4 variant - ext4
    exact size - 1g
```

Unselect:

```
Kernel
    Linux Kernel
```

Run `make`.

Then add the following line to `output/target/etc/fstab`:

```
debugfs /sys/kernel/debug debugfs defaults 0 0
```

Then replace `output/target/etc/ssh/sshd_config` with the following contents:

```
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
```

Run `make` again.

# QEMU

The following instructions were tested with QEMU 5.0. At least QEMU 4.1 is needed.

# Test kernel and image

Run:

```shell
qemu-system-riscv64 \
    -machine virt \
    -nographic \
    -bios /opensbi/build/platform/generic/firmware/fw_jump.bin \
    -kernel /linux/arch/riscv/boot/Image \
    -append "root=/dev/vda ro console=ttyS0" \
    -object rng-random,filename=/dev/urandom,id=rng0 \
    -device virtio-rng-device,rng=rng0 \
    -drive file=/buildroot/output/images/rootfs.ext2,if=none,format=raw,id=hd0 \
    -device virtio-blk-device,drive=hd0 \
    -netdev user,id=net0,host=10.0.2.10,hostfwd=tcp::10022-:22 \
    -device virtio-net-device,netdev=net0
```

This should boot the kernel. Wait for the login prompt, then in another console run:

```
ssh -p 10022 root@localhost
```

ssh should succeed.

# syzkaller

Build syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller), with the `riscv64` target:

```
make TARGETOS=linux TARGETARCH=riscv64
```

Create the manager config `riscv64.cfg` similar to the following one (adjusting paths as necessary):

```
{
	"name": "riscv64",
	"target": "linux/riscv64",
	"http": ":56700",
	"workdir": "/workdir",
	"kernel_obj": "/linux",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"image": "/buildroot/output/images/rootfs.ext2",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 1,
		"qemu_args": "-machine virt -bios /opensbi/build/platform/generic/firmware/fw_jump.bin",
		"kernel": "/linux/arch/riscv/boot/Image",
		"cpu": 2,
		"mem": 2048
	}
}
```

Alternatively, you may try to use the default OpenSBI firmware provided with QEMU 4.1 and newer by
specifying `-machine virt -bios default` in `qemu_args` and passing the kernel image in the `kernel`
config option:

```
{
	"name": "riscv64",
	"target": "linux/riscv64",
	"http": ":56700",
	"workdir": "/workdir",
	"kernel_obj": "/linux",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"image": "/buildroot/output/images/rootfs.ext2",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 1,
		"qemu_args": "-machine virt -bios default",
		"kernel": "/linux/arch/riscv/boot/Image",
		"cpu": 2,
		"mem": 2048
	}
}
```

This allows booting a different kernel without having to recompile OpenSBI. However, on some
distributions the default OpenSBI firmware required by the `-bios default` option might not be
available yet.

Finally, run `bin/syz-manager -config riscv64.cfg`. After it successfully starts, you should be able
to visit `localhost:56700` to view the fuzzing results.
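The manual boot test above and the manager config describe the same VM, so it helps to generate both from one set of paths. The following helper is an added example, not part of the syzkaller docs or code: it assumes the page's host layout (`/linux`, `/opensbi`, `/buildroot`, `/workdir`, the syzkaller checkout under `/gopath`), builds either config variant (`fw_jump.bin` or `-bios default`), and derives the standalone `qemu-system-riscv64` command from it. It pins the ssh port forward to loopback rather than using the page's empty host address; the comment explains why.

```python
import json
import shlex

# Host layout assumed by the page: kernel tree, OpenSBI tree, buildroot tree.
PATHS = {"linux": "/linux", "opensbi": "/opensbi", "buildroot": "/buildroot",
         "syzkaller": "/gopath/src/github.com/google/syzkaller", "workdir": "/workdir"}


def manager_config(paths=PATHS, bios="opensbi", http_port=56700):
    """Return the riscv64 syz-manager config. bios="opensbi" points QEMU at the
    fw_jump.bin built from the OpenSBI tree; bios="default" uses the firmware
    bundled with QEMU >= 4.1, so a new kernel needs no OpenSBI rebuild."""
    if bios == "opensbi":
        bios_arg = f"{paths['opensbi']}/build/platform/generic/firmware/fw_jump.bin"
    elif bios == "default":
        bios_arg = "default"
    else:
        raise ValueError(f"unknown bios choice: {bios!r}")
    return {
        "name": "riscv64", "target": "linux/riscv64", "http": f":{http_port}",
        "workdir": paths["workdir"], "kernel_obj": paths["linux"],
        "syzkaller": paths["syzkaller"],
        "image": f"{paths['buildroot']}/output/images/rootfs.ext2",
        "procs": 8, "type": "qemu",
        "vm": {"count": 1, "qemu_args": f"-machine virt -bios {bios_arg}",
               "kernel": f"{paths['linux']}/arch/riscv/boot/Image", "cpu": 2, "mem": 2048},
    }


def boot_test_command(cfg, ssh_port=10022):
    """Derive the manual qemu-system-riscv64 boot test from the manager config.
    The ssh forward is pinned to 127.0.0.1: with the empty host address in the
    page's `hostfwd=tcp::10022-:22` QEMU binds the port on every host interface,
    and the image accepts empty root passwords over ssh."""
    vm = cfg["vm"]
    return ["qemu-system-riscv64", *shlex.split(vm["qemu_args"]), "-nographic",
            "-kernel", vm["kernel"], "-append", "root=/dev/vda ro console=ttyS0",
            "-object", "rng-random,filename=/dev/urandom,id=rng0",
            "-device", "virtio-rng-device,rng=rng0",
            "-drive", f"file={cfg['image']},if=none,format=raw,id=hd0",
            "-device", "virtio-blk-device,drive=hd0",
            "-netdev", f"user,id=net0,host=10.0.2.10,hostfwd=tcp:127.0.0.1:{ssh_port}-:22",
            "-device", "virtio-net-device,netdev=net0"]


if __name__ == "__main__":
    cfg = manager_config()
    print(json.dumps(cfg, indent=2))  # save this as riscv64.cfg
    print(shlex.join(boot_test_command(cfg)))
```

Pass `bios="default"` to `manager_config` to get the second config variant from the page.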

In case you encounter issues with starting `syz-manager`, use the `-debug` flag and refer to the
[troubleshooting guide](/docs/troubleshooting.md).